Security, Privacy, and Trust

Many organizations have legitimate questions about AI-driven solutions. At Dropzone AI, we believe these concerns are not just valid—they’re essential. We built our solution with accuracy, explainability, and data privacy in mind, so you can feel confident in integrating our AI SOC analyst into your security operations.

Architecture

The Dropzone AI solution is an autonomous multi-agent AI system that is pre-trained to replicate the work of a Tier 1 SOC analyst. The main components are:

  • A dedicated cloud tenant hosted in AWS
  • An optional connector for the purpose of reaching on-premises security tools
  • LLM-as-a-service providers like Anthropic, Azure, OpenAI, Perplexity, and others
A diagram of a cloud networkDescription automatically generated
Figure 1. Dropzone AI architecture

Security

Network Security

Each Dropzone AI SaaS tenant runs in its own isolated AWS subnet. Security groups and network ACLs restrict which access is allowed. Anything not specified is denied by default. Currently all API calls initiated from the Dropzone AI solution, either directly from the cloud hosted tenant or via the on-premises connector, use HTTPS. 

Data Security Matrix

The following describes Dropzone AI's handling of data.

Type of Data Dropzone AI SaaS Tenant Dropzone AI Connector
Encryption of Data at Rest EBS encryption with AWS KMS (AES 256) N/A (no data persistence)
Encryption of Data in Transit TLS 1.2 or greater ECDSA SSH (256-bit ed25519 keys)
Data Retention Investigation data is retained until contract end or upon request; logs are stored for 30 days N/A (no data persistence)
Authentication Methods PBKDF2 SHA256 (20,000 iterations) 348-bit key

Platform Authentication and User Roles

There are two user roles available in the Dropzone AI solution:

  1. Administrator - Capable of all activities, including user management 
  2. Member - Capable of all activities, excluding user management

Third Party Assessments

SOC2

Dropzone AI has achieved SOC 2 Type 1 certification and will begin SOC 2 Type 2 certification in November 2024. Our SOC2 Type 1 audit was performed by Sensiba, LLC, and certification was delivered in November 2023. 

Third Party Penetration Tests

Dropzone AI engages a third party penetration tester annually. 

Data Privacy

Dropzone AI implements a number of measures to ensure the confidentiality of customer data. 

  1. Single-tenant architecture - The Dropzone AI platform is built following a single-tenant architecture in AWS. This assures a physical segmentation between all customers so there is no chance of data commingling. 
  2. No training on your data - Your data is not used to train our models, either at Dropzone or our sub-processors. In addition, Dropzone AI has zero-data-retention agreements in place with our LLM providers to not store customer data.

Customer Data Used

Dropzone AI uses the same security tools and IT systems to perform investigations as human analysts do to retrieve alerts, scan content, and query data. 

Alert and data source categories used by Dropzone AI include:

  • Cloud service providers
  • Email systems
  • Endpoint detection and response
  • Identity 
  • Network security products
  • Productivity 
  • SIEM 
  • Ticketing systems
  • Vulnerability management

You have control over what types of access you provide to the Dropzone AI solution. We default to read-only access. In some cases you may want to add write access, such as when writing to ticketing systems. 

GDPR and PII

Dropzone AI has achieved SOC 2 Type 1 certification and will begin SOC 2 Type 2 certification in November 2024. We operate with least privilege regarding customer environments and data, supported by strict internal policies for data access, handling, and usage. Dropzone AI fully supports EU data residency to meet GDPR data transfer requirements.

Accuracy and Explainability

The Dropzone AI solution is engineered with a specific focus on: 

  • Explainability so that humans can easily verify decisions and the criteria on which they were made
  • Data lineage to provide an audit trail, giving users confidence in Dropzone AI’s evidence-based analysis
  • Guardrails to protect against hallucinations
  • Continuous internal sandbox/lab testing and validation

How It Works

The following diagram and table explains how Dropzone AI performs autonomous alert triage and investigation. 

A flow chart of a process with the first step being investigation.
Process Step Description
Obtain information

Dropzone AI connects to your security tools and receives alerts. Customers can filter which alerts the Dropzone AI solution investigates.
Strategize and plan

Dropzone AI is pre-trained to handle a wide-variety of alert investigations, such as phishing reports and detections from EDR, firewall, identity, SaaS, and cloud service providers. For each alert, Dropzone AI will formulate multiple hypotheses of why the alert fired and the lines of investigation that need to be pursued.

Importantly, the Dropzone AI solution recursively reasons like a human. So after collecting and analyzing evidence, it will keep formulating additional hypotheses and lines of investigation until it reaches a final conclusion.
Collect evidence

To pursue lines of investigation, the Dropzone AI solution collects evidence from the customer's security tools and internal systems just as a human analyst would. Expert modules are pre-trained to replicate an analyst skill, such as using osquery to retrieve additional endpoint information or composing Splunk queries.

Dropzone AI also uses threat intelligence, reputation services, and other tools such as VirusTotal and the WHOIS database to enrich IOCs such as IP addresses and file hashes.
Analyze

Dropzone AI replicates Tier 1 SOC analyst skills needed for analysis of data. For example, the expert modules can use Wireshark to parse network packet captures for Log4J exploit markers, identify obfuscation techniques in Powershell scripts, analyze phishing attachments, and reconstruct malware process trees from commands and files.

An important feature of Dropzone AI is organizational context memory, which builds up the same type of institutional knowledge (understanding of your environment and business) that a human would. The Dropzone AI solution reads directory services, Jira tickets, and emails and perfectly recalls details when needed, such as why a SharePoint folder is OK to share with certain email addresses outside of the organization. Users can add to this context memory inside of the Dropzone AI product by teaching the solution using a natural language interface.
Report

Once the Dropzone AI solution has completed all the investigation steps, it composes a summary report that includes a recommended conclusion on whether the alert is benign, suspicious, or malicious. The conclusion is built from the findings that are explained along with data sources used, and human analysts reviewing the report have links to raw evidence (logs, etc.).

User Input and Context Memory

As you use the Dropzone AI solution more, the quality of the investigations improves as the AI SOC analyst learns about the company and environment. Importantly, this context memory is built and exists solely within the customer’s tenant and cannot be mixed with other customers’ deployments. 

Users will commonly add facts to context memory such as:

  • Owned IP ranges
  • Allowed VPN services and policies
  • Users that conduct security testing
  • Hosts with special functions
  • Internal tool names and their purposes
  • Cloud IAM roles used for automation and administration
  • Office locations

As a result of investigations, Dropzone AI will infer details such as which AWS roles have which permissions.

Avoiding Hallucinations

Dropzone AI uses multiple independent agents (expert modules) that limit the scope of what is being asked of each individual agent and avoid hallucinations. 

  • Expert knowledge - Each expert module combines LLM reasoning capability with expertise, derived from authoritative sources such as product documentation. 
  • Up-to-date information - Expert modules have access to up-to-date information by accessing internal systems, security tools, threat intelligence, and public tools such as the WHOIS and NVD databases. 
  • Specificity - When an alert is received, Dropzone AI will strategize and plan the investigation, assigning specific tasks to expert modules pre-trained to complete that type of task. 

Common Questions

Who determines which alert and data sources are enabled?

The customer is in ultimate control of which alert and data sources are enabled. Alert sources send alerts to Dropzone AI. Data sources are data stores that contain information needed during investigations. This access is mostly provisioned during the onboarding phase, but can be adjusted by the customer at any time.

Does Dropzone AI make a copy of all my logs?

No. Dropzone AI continuously pulls security alerts when configured and on-demand fetches a subset of logs from different data sources and security systems during an investigation.

Does Dropzone AI's LLM providers train on my data?

No. Dropzone AI's contracts with its LLM providers precludes both training on the data and on storing the data for any amount of time—as soon as a query is complete the LLM provider deletes all data.

Copyright © Dropzone AI 2024. All Rights Reserved.